# Publicity of data model entities

The data model serves as a facade of your data and enables running
[queries][ref-queries] via a [rich set of APIs][ref-apis] by referencing data
model [entities][ref-data-modeling-concepts]: cubes, views, and their members.
Controlling whether they are public or not helps manage data access and expose
a coherent representation of the data model to end users.

By default, all cubes, views, measures, dimensions, and segments are *public*,
meaning that they can be used in API queries and they are visible during data
model introspection.

## Managing publicity

You can explicitly make a data model entity public or private by setting its
`public` parameter to `true` or `false`. This parameter is available for
[cubes][ref-cubes-public], [views][ref-views-public], [measures][ref-measures-public],
[dimensions][ref-dimensions-public], and [segments][ref-segments-public].

<InfoBox>

In [development mode][ref-dev-mode] and in [Playground][ref-playground], access
control checks are disabled and all `public` parameters are ignored. It helps
you conveniently debug the data model by using private data model entities in
API queries and during data model introspection.

</InfoBox>

### Dynamic data models

You can also control whether a data model entity should be public or private
[dynamically][ref-dynamic-data-modeling].

In the example below, the `customers` view would only be visible to a subset
of [tenants][ref-multitenancy] that have the `team` property set to `marketing`
in the security context: 

```yml filename="model/views/customers.yml"
views:
  - name: customers
    public: "{{ is_accessible_by_team('marketing', COMPILE_CONTEXT) }}"
```

```python filename="model/globals.py"
from cube import TemplateContext

template = TemplateContext()

@template.function('is_accessible_by_team')
def is_accessible_by_team(team: str, ctx: dict) -> bool:
  return team == ctx['securityContext'].setdefault('team', 'default')
```

If you'd like to keep a data model entity public but prevent access to it
anyway, you can use the [`query_rewrite` configuration option][ref-query-rewrite] for that.

## Best practices

### Cubes and views

If your data model contains both [cubes][ref-cubes] and [views][ref-views],
it's recommended to keep cubes private and only expose views to visualization
tools. Doing so, you will have more control over queries that can be run
against the data model.

<Diagram src="https://ucarecdn.com/bfc3e04a-b690-40bc-a6f8-14a9175fb4fd/" />

### Members

If you have measures or dimensions that are not intended to be exposed to end
users, it's recommended to keep them private. Often, such auxiliary members
would be used in [calculated measures and dimensions][ref-calculated-members].

<CodeTabs>

```yaml
cubes:
  - name: users
    sql_table: users

    dimensions:
      - name: first_name
        sql: first_name
        type: string
        public: false

      - name: initial
        sql: "LEFT({first_name}, 1)"
        type: string



```

```javascript
cube(`users`, {
  sql_table: `users`,

  dimensions: {
    first_name: {
      sql: `first_name`,
      type: `string`,
      public: false
    },

    initial: {
      sql: `LEFT(${first_name}, 1)`,
      type: `string`
    }
  }
})
```

</CodeTabs>


[ref-data-modeling-concepts]: /product/data-modeling/concepts
[ref-apis]: /product/apis-integrations
[ref-queries]: /product/apis-integrations/queries
[ref-cubes-public]: /reference/data-model/cube#public
[ref-views-public]: /reference/data-model/view#public
[ref-measures-public]: /reference/data-model/measures#public
[ref-dimensions-public]: /reference/data-model/dimensions#public
[ref-segments-public]: /reference/data-model/segments#public
[ref-cubes]: /product/data-modeling/concepts#cubes
[ref-views]: /product/data-modeling/concepts#views
[ref-calculated-members]: /product/data-modeling/overview#4-using-calculated-measures
[ref-multitenancy]: /product/configuration/advanced/multitenancy
[ref-dynamic-data-modeling]: /product/data-modeling/dynamic
[ref-query-rewrite]: /reference/configuration/config#query_rewrite
[ref-dev-mode]: /product/configuration#development-mode
[ref-playground]: /product/workspace/playground